* [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:
# Alternative solutions: If we really want to distinguish the case when we don't produce any affected packages but the source contains the vulnerability (a build with different flags might result in an affected package), we can create a new tag to show this: not-affected-build-artifacts.
This. Just marking the CVE as not-affected does not distinguish between deb and deb-src, which are still part of (and shipped by) Debian.
Cheers, Gian Piero.